Hi list,

We are running FreeIPA 3.0 with an installation that has been with us since the 2.x-era. We had a situation where we needed the NT password hash, which wasn't generated in earlier versions of FreeIPA, and would not be available for old user accounts even on this newer version. New user accounts would get them set upon creation.

On #freeipa at FreeNode, ab was kind enough to guide me through the process of starting an ldap-task to add the needed attributes to the old accounts. I thought I'd share this in case anyone else would ask the same question. The procedure is also described on slide 11 in this presentation: http://www.freeipa.org/images/4/49/Freeipa30_Trust_Basics.odp.

1) Make sure you have /usr/lib{,64}/dirsrv/plugins/libipa_sidgen.so and /usr/lib{,64}/dirsrv/plugins/libipa_sidgen_task.so on your system.
2) Copy /usr/share/ipa/ipa-sidgen-task-run.ldif, edit nsslapd-basedn to match your base dn. (grep basedn /etc/ipa/default.conf | cut -d= -f2-)
3) ldapadd the ldif to cn=config, to start the task.

I am not sure under which circumstances the NT hash is automagically updated, but setting a new user password did update all password fields.

Best regards,
Nicklas Björk
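
Steps 1 to 3 above as shell functions, added here as an example and not part of the original message or of FreeIPA's own tooling. The function names, the sample `default.conf` and the LDIF template contents are constructed for illustration, and binding as `cn=Directory Manager` in the final `ldapadd` is an assumption.

```shell
#!/bin/sh
# Added example: prepare the sidgen task LDIF described in steps 1-3.

# Step 1: succeed only if both plugin libraries exist under lib or lib64.
have_sidgen_plugins() {
    root=${1:-/usr}
    for lib in libipa_sidgen.so libipa_sidgen_task.so; do
        [ -e "$root/lib/dirsrv/plugins/$lib" ] ||
        [ -e "$root/lib64/dirsrv/plugins/$lib" ] || return 1
    done
}

# Step 2a: read the base DN. Everything after the first '=' is kept, because
# the DN itself contains '=' signs; surrounding whitespace is trimmed.
ipa_basedn() {
    sed -n 's/^[[:space:]]*basedn[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" |
        head -n 1
}

# Step 2b: copy the template, replacing only the nsslapd-basedn line.
# The DN is passed through the environment so awk does not interpret
# backslashes that may occur in an escaped DN.
prepare_sidgen_ldif() {   # args: template, default.conf, output file
    dn=$(ipa_basedn "$2")
    [ -n "$dn" ] || { echo "no basedn found in $2" >&2; return 1; }
    grep -qi '^nsslapd-basedn:' "$1" ||
        { echo "no nsslapd-basedn line in $1" >&2; return 1; }
    DN="$dn" awk 'tolower($0) ~ /^nsslapd-basedn:/ {
        print "nsslapd-basedn: " ENVIRON["DN"]; next } { print }' "$1" > "$3"
}

# Demo on constructed input (stand-ins for /etc/ipa/default.conf and
# /usr/share/ipa/ipa-sidgen-task-run.ldif; the real files may differ).
sidgen_demo() {
    d=$(mktemp -d) || return 1
    printf '[global]\nbasedn = dc=example,dc=com\nrealm = EXAMPLE.COM\n' > "$d/default.conf"
    printf 'dn: cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config\nobjectClass: top\nobjectClass: extensibleObject\ncn: sidgen\nnsslapd-basedn: $SUFFIX\ndelay: 0\n' > "$d/tpl.ldif"
    prepare_sidgen_ldif "$d/tpl.ldif" "$d/default.conf" "$d/run.ldif" && cat "$d/run.ldif"
    rm -rf "$d"
}

# Step 3, run by hand once the output has been reviewed (bind DN assumed):
#   ldapadd -x -D "cn=Directory Manager" -W -f ipa-sidgen-task-run.ldif
if [ "${1:-}" = demo ]; then sidgen_demo; fi
```

Run the script with the argument `demo` to see the rewritten LDIF for the constructed input.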
